Moral and Ethical Awareness Education Security Training Issues FISSEA 2004 Dr Christopher V. Feudo Director, Security and Privacy Professional Services EDS [email protected]


Page 1: Moral and Ethical Awareness Education Security Training Issues FISSEA 2004 Dr Christopher V. Feudo Director, Security and Privacy Professional Services

Moral and Ethical Awareness Education Security Training Issues

FISSEA 2004

Dr Christopher V. Feudo

Director, Security and Privacy Professional Services

EDS

[email protected]

Page 2

EDS: A Global Company

• The leading global services company

• More than 140,000 employees in 60 countries

• Revenues of $21.5 billion in 2002

• Provides strategy, implementation, business transformation and operational solutions for clients managing the complexities of today’s economy

• Brings together the world’s best technologies to address critical client business imperatives

EDS is the recognized global leader in ensuring clients achieve superior value in the Digital Economy

• By delivering the right strategies, solutions and services

Page 3

Agenda

• Overview

• Terms and Definitions

• Background

• Morals and Ethics Issues/Processes

• Laws and Expectations

• Security Awareness

• Summary

Page 4

Terms and Definitions

• Script kiddie is a term that refers to anyone who is not technologically sophisticated enough to understand the Internet vulnerability they are attempting to exploit, who often uses tools created by others

• Hacker, either white hat (good) or black hat (bad), is the most commonly used term for people who find software vulnerabilities

• Cracker applies to those who break into software or Web servers, often with criminal intentions.

• Ethics, in simple terms, is the study of morality. 

• Morality refers to the "rightness" or "goodness" of matters. 

• Values are the rules by which we make decisions about right and wrong, should and shouldn't, good and bad. They also tell us which are more or less important.

• Character is the moral quality and direction of one’s decisions and behavior

• Professionalism

– Characterized by or conforming to the technical or ethical standards of a profession [emphasis added]

– Exhibiting a courteous, conscientious, and generally businesslike manner in the workplace

– Of high moral character

• Security Awareness - to ensure all personnel understand the necessity of, and practice of safeguarding information processed, stored, or transmitted on all information systems

Page 5

The Threat and the Players

[Figure: threat pyramid. Actors shown: Information Warrior, National Intelligence, Terrorist, Industrial Espionage, Organized Crime, Institutional Hacker, Recreational Hacker, grouped into National Security Threats, Shared Threats and Local Threats. Motivations shown: Information for Political, Military, Economic Advantage; Reduce Decision Space, Strategic Advantage, Chaos, Target Damage; Visibility, Publicity, Chaos, Political Change; Competitive Advantage, Intimidation; Revenge, Retribution, Financial Gain, Institutional Change; Monetary Gain; Thrill, Challenge, Prestige.]

Threat = [Equipment + Knowledge + Skills] + Intent, where the bracketed term is Capability

Page 6

Attack Sophistication vs. Intruder Technical Knowledge

[Figure: timeline chart, 1980 to 2005, with Intruder Knowledge (High to Low) and Attack Sophistication as the two curves and Tools and Attackers as the legend. Labels along the timeline: password guessing, self-replicating code, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sweepers, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth" / advanced scanning techniques, burglaries, network mgmt. diagnostics, DDOS attacks, Wireless.]

Page 7

Vulnerability Opportunities

[Figure: New Vulnerabilities Detected per year, 2000 to 2003; vertical axis 0 to 10,000.]

• Security threats are increasing in COMPLEXITY, FREQUENCY and SEVERITY

• Each week over 100 new viruses are identified and 60 new vulnerabilities are discovered

• There are over 57000 Hacker sites for people to peruse

• $266 BILLION - Estimated cost of damages caused by viruses and computer cracking in U.S. firms last year, (InformationWeek)

• $1.6 TRILLION - Estimated worldwide loss last year due to downtime resulting from security breaches and virus attacks. (InformationWeek)

-- Source: CERT Data. 2003 figure is an estimate.

New network vulnerabilities are being detected on a daily basis – 4,129 in 2002 and over 8,000 expected in 2003

Page 8

Federal Computer Security Grades 2000-2003

| Agency | 2003 Score | 2003 Grade | 2002 Score | 2002 Grade | 2001 Score | 2001 Grade | 2000 Score | 2000 Grade |
|---|---|---|---|---|---|---|---|---|
| Agriculture | 40 | F | 36 | F | 31 | F | 56 | F |
| AID | 70.5 | C- | 52 | F | 22 | F | 72 | C- |
| Commerce | 72.5 | C- | 68 | D+ | 51 | F | 72 | C- |
| DOD* | 65.5 | D | 38 | F | 40 | F | 69 | D+ |
| Education | 77 | C+ | 66 | D | 33 | F | 75 | C |
| Energy | 59.5 | F | 41 | F | 51 | F | INC | INC |
| EPA | 74.5 | C | 63 | D- | 69 | D+ | 64 | D |
| GSA | 65 | D | 64 | D | 66 | D | 61 | D- |
| HHS | 54 | F | 61 | D- | 43 | F | 58 | F |
| DHS | 34 | F | -- | -- | -- | -- | -- | -- |
| HUD | 40 | F | 48 | F | 66 | D | 73 | C- |
| Interior | 43 | F | 37 | F | 48 | F | 17 | F |
| Justice | 55.5 | F | 56 | F | 50 | F | 52 | F |
| Labor | 86.5 | B | 79 | C+ | 56 | F | 38 | F |
| NASA | 60.5 | D- | 68 | D+ | 70 | C- | 60 | D- |
| NRC | 94.5 | A | 74 | C | 34 | F | INC | INC |
| NSF | 90.5 | A- | 63 | D- | 87 | B+ | 80 | B- |
| OPM | 61.5 | D- | 52 | F | 39 | F | 59 | F |
| SBA | 71 | C- | 48 | F | 48 | F | 55 | F |
| SSA | 88 | B+ | 82 | B- | 79 | C+ | 86 | B |
| State | 39.5 | F | 54 | F | 69 | D+ | 75 | C |
| Transportation | 69 | D+ | 28 | F | 48 | F | INC | INC |
| Treasury* | 64 | D | 48 | F | 54 | F | 65 | D |
| VA* | 76.5 | C | 50 | F | 44 | F | 65 | D |
| Government-wide Average | 65 | D | 55 | F | 53 | F | INC | D- |

Page 9

Attack Approach

• There are two primary methods that hackers rely upon to disrupt the Web operations of major companies and organizations

– attackers break into systems by "taking advantage of holes in corporate operating systems and applications that are out there on Web servers"

– attackers take advantage of easy-to-guess passwords -- and this can come both from outside hackers and from people working within the company.

"About 80 percent of the time, the bad guys get in using one of these two methods," Clyde (from Symantec) told NewsFactor.

• Clyde estimates that only about 40 percent of the networks on the Internet use a firewall to keep threats at bay, and that well over half of home PC users do not keep their anti-virus software updated and in place.

Page 10

Wake Up Call

• 20 Young Hackers' Plot To Sabotage Internet Investigated By FBI – TIMES

• Four Israeli Youths have been arrested in that country on suspicion of planning to disrupt computer systems - FBI and Israeli national police

• Code Red (Mountain Dew): 1 million computers affected; Clean-up: $1.1 billion; Lost productivity: $1.5B

• SINGAPORE, Nov 13, 2003 – Two 15-year-old hackers have been placed under probation for two years, one for flooding his teacher’s e-mail inbox with more than 160,000 messages, the other for posing as the Education Minister

• We have Dutch-born Jan de Wit, the 20-year-old who wrote the Anna virus using an online worm generator kit

• Michael Buen and Onel de Guzman, the 20-something Filipino college students who allegedly wrote the ILOVEYOU virus - 40 million computers affected; $8.7 billion for clean-up and lost productivity

• MafiaBoy, the 17-year-old Canadian who created one of the best known denial-of-service attacks in February, 2000; and Benjamin Troy Breuninger, the recently sentenced 22-year-old who broke into the Lawrence Livermore Labs

• A young hacker was caught breaking into NASA's computers and sentenced to six months in jail - he took possession of $1.7 million in software.

• Curador is an 18-year-old hacker from rural Wales who in the winter of 2000 stole an estimated 26,000 credit card numbers from a group of e-commerce web sites, and posted the numbers on the web.

Page 11

The “Why”

• A teenager from the U.S. - he was trying to impress other youths

• "I was just running my mouth, trying to brag," said another youth

• "It was teenage talk, is what it was." "I've been throwing up nonstop," said still another

• “I did it for the thrill and challenge”

• “I wanted to see if I could do it”

• “I did not realize the consequences of my action”

• “I wanted to be cool”

• "It was the first time I was given complete power over something - I could do whatever I wanted, and there was no one there to do anything about it"

Page 12

Moral Leadership: A 21st Century Imperative

• Moral leadership is the key issue at all levels for the 21st Century.

• Educators (and Parents) have the unique opportunity to teach and to model such leadership. They can literally take the moral high ground.

• This opportunity has a price however. To walk-our-talk, to serve as a voice of conscience to leaders, to prepare a discerning citizenry and to avoid being hypocritical "do as I say, not as I do" moralists, we must get our collective act together first.

• "Far too many kids aren't getting (character education) from their parents," said Josephson, founder of Character Counts and the Josephson Institute of Ethics. "And if the schools don't do it, they won't learn it."

• Programs that receive federal funding focus on six character elements: caring, civic virtue and citizenship, justice and fairness, respect, responsibility and trustworthiness.

• Two-thirds of American teenagers claim that when they are adults, they will have no hesitations about padding their business expense accounts or cheating on their taxes - The Josephson Institute of Ethics 1999

"Sims Online 2004": A 17-year-old teen plays a virtual madame who runs a brothel and steals money from other players. “His” name was Evangeline.

Page 13

Why Do We Need Morals and Values?

• There is a heightened awareness in our society that there is something WRONG with how we are raising our children

– More than three-quarters of all Americans believe that this country is in serious moral and spiritual decline.

• The way our children learn values is elusive at best – with our busy schedules, in some cases, parents equate buying things for their children with caring for them

• Situational Ethics has taken front row

– 70% of high school students admitted cheating on an exam at least once in the last year

– 78% said they had lied two or more times, and an amazing 47% acknowledged having stolen something from a store in the last 12 months *

• As society scrambles to find new ways of preventing anti-social behavior on the Net, schools, communities and federal agencies are increasingly looking to the importance of teaching good old ethics: standards that anyone can use to determine right from wrong.

– the Justice Department is touting ethics education as a potentially powerful tool for addressing computer crime, from theft of intellectual property to digital vandalism - $300K seed money.

– the Education Department

• "It is unfortunate, but if a [hacker] does not have an 'inner voice' telling him or her the difference between right and wrong, [s/he] may be a lost cause" - former hacker Chris Goggans (now CTO of an Internet security company)

*According to a recent national poll of more than 20,000 middle and high school students conducted by the Josephson Institute of Ethics

Page 14

Character Quotes

• HERACLITUS (c. 540 - c. 480 BC) -- Greek philosopher: "A man's character is his fate."

• BOOKER T. WASHINGTON (1856-1915) -- African-American educator: "Character is power."

• RALPH WALDO EMERSON (1803-1882) -- American writer and philosopher: "Our people are slow to learn the wisdom of sending character instead of talent to Congress. Again and again they have sent a man of great acuteness, a fine scholar, a fine forensic orator, and some master of the brawls has crunched him up in his hands like a bit of paper."

• RICHARD NIXON (1913-1994): "With all the power that a President has, the most important thing to bear in mind is this: You must not give power to a man unless, above everything else, he has character. Character is the most important qualification the President of the United States can have."

• LYNDON JOHNSON (1908-1973): "The fact that a man is a newspaper reporter is evidence of some flaw of character."

• CALVIN COOLIDGE (1872-1933): "Character is the only secure foundation of the state."

"To Educate A Person In Mind And Not In Morals Is To Educate A Menace To Society." (Theodore Roosevelt)

Page 15

Benefits of early Moral education

• The University of South Carolina's Center for Child and Family Studies evaluated its state's four-year character-education initiative. Researchers discovered:

– 91 percent reported improvement in student attitudes

– 89 percent reported improvement in student behavior

– 60 percent reported improvement in academic performance

– More than 65 percent reported improved teacher and staff attitudes

Page 16

Basis of Moral Decisions

• “Do what the Bible tells you”--Divine Command Theories

• “Follow your conscience”--The Ethics of Conscience

• “Watch out for #1”--Ethical Egoism

• “Do the right thing”--The Ethics of Duty

• “Don't dis' me”--The Ethics of Respect

• “...all Men are created ...with certain unalienable Rights”--The Ethics of Rights

• “Make the world a better place”--Utilitarianism

• “Daddy, that’s not fair”--The Ethics of Justice

• “Be a good person”--Virtue Ethics

Page 17

Code of Ethics Canons

Protect society, the commonwealth, and the infrastructure

• Promote and preserve public trust and confidence in information and systems.

• Promote the understanding and acceptance of prudent information security measures.

Act honorably, honestly, justly, responsibly, and legally

• Tell the truth; Treat all constituents fairly.

• Observe all contracts and agreements, express or implied.

Provide diligent and competent service to principals

• Preserve the value of their systems, applications, and information.

• Avoid conflicts of interest or the appearance thereof.

Advance and protect the profession

• Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.

• Take care not to injure the reputation of other professionals through malice or indifference.

Page 18

Ethical Decision Making Model

• Evaluate Information

• Consider how our decision might affect stakeholders

• Consider what ethical values are relevant to the situation

• Determine the best course of action that takes into account relevant values and stakeholders’ interests

Page 19

Principles of Behavior

Honesty

– to be truthful in all our endeavors; to be honest and forthright with one another and with customers, communities, suppliers, and shareholders.

Integrity

– to say what we mean, to deliver what we promise, to fulfill our commitments, and to stand for what is right.

Respect

– to treat one another with dignity and fairness, appreciating the diversity of our workforce and the uniqueness of each employee.

Trust

– to build confidence through teamwork and open, candid communication.

Responsibility

– to take responsibility for our actions, and to speak up -- without fear of retribution -- and report concerns in the workplace, including violations of laws, regulations and company policies, and seek clarification and guidance whenever there is doubt.

Citizenship

– to obey all the laws and to do our part to make the communities in which we live and work better.

Page 20

Broader View of Moral and Ethical Issues

As the Association for Computing Machinery states in its Code of Ethics and Professional Conduct, computing professionals are obligated to heed a common set of moral imperatives that reflect duties to (among others) foster human well-being, avoid harm to others, be honest and trustworthy, respect privacy, and give proper credit for intellectual property.

Page 21

The Ten Moral and Ethical Commandments

• Thou shall not use a computer to harm people.

• Thou shall not interfere with other people’s computer work.

• Thou shall not snoop around in other people’s computer files.

• Thou shall not use a computer to steal.

• Thou shall not use a computer to bear false witness

• Thou shall not copy or use proprietary software for which you have not paid

• Thou shall not use other people’s computer resources without authorization or proper compensation.

• Thou shall not appropriate other people’s intellectual output.

• Thou shall think about the social consequences of the program you are writing or system you are designing.

• Thou shall use a computer in ways that ensure consideration and respect for your fellow humans.

Page 22

What is a Character Education Program?

Thomas Lickona has defined character education as:

• The deliberate, proactive effort to develop good character in kids—or, more simply, to teach children right from wrong. It assumes that right and wrong do exist, that there are objective moral standards that transcend individual choice—standards like respect, responsibility, honesty, and fairness—and that we should teach these directly to young people.

Lickona (1991) has identified the following facets of character education programs:

• the direct teaching of character values within the school curricula,

• high expectation for responsible behavior,

• a process for implementing positive values when making decisions,

• visual reinforcement of character values to keep students focused on the words, concepts and behaviors,

• a school culture that fosters positive peer recognition and empowers all members of the school community to exemplify behaviors consistent with respect and responsibility and

• parent, student and community involvement in the decision making of the character education programs

Page 23

Eleven Principles of Effective Character Education*

• Principle 1: Promotes core ethical values as the basis of good character.

• Principle 2: Defines "character" comprehensively to include thinking, feeling, and behavior.

• Principle 3: Uses a comprehensive, intentional, proactive, and effective approach to character development.

• Principle 4: Creates a caring school community.

• Principle 5: Provides students with opportunities for moral action.

• Principle 6: Includes a meaningful and challenging academic curriculum that respects all learners, develops their character, and helps them to succeed.

• Principle 7: Strives to foster students’ self motivation.

• Principle 8: Engages the school staff as a learning and moral community that shares responsibility for character education and attempts to adhere to the same core values that guide the education of students.

• Principle 9: Fosters shared moral leadership and long range support of the character education initiative.

• Principle 10: Engages families and community members as partners in the character-building effort.

• Principle 11: Evaluates the character of the school, the school staff’s functioning as character educators, and the extent to which students manifest good character.

*CEP's Character Education Standards

Page 24

Character Education Websites

• Character Counts! National [USA] Homepage - free materials for developing six pillars of character

• CharacterEd.net - well organized resources for students, parents, families, teachers

• Character Education at the Center for Advancement of Ethics & Character - School of Education, Boston University

• Character Education Curriculum Reviews & Resources - California Department of Education

• Character Education - ERIC Resources - handy page, easy to use, has main links & resources

• Character Education Partnership - coalition of organizations and individuals dedicated to developing moral character and civic virtue in youth

• Character Education Resources - Midge Fraizel's comprehensive site

• Character Education Utah Homepage - resources and downloads

• Character Education Resources - free resources, lesson plans, materials

• International Center for Character Education - online courses, Masters & PhD degrees in character education

• Jefferson Center for Character Education - produce & promote programs to teach children in grades K through 12 concepts, skills and behavior of good character, common core values, personal and civic responsibility

• National [USA] Character Education Center - pre-school through high school resources

Page 25

Legal Implications

• U.S. Laws

– Criminal Code

– Patent and Copyright Laws

– Trade Secrets

• Liability

• Privacy protection

Page 26

Legal Issues - US Laws

• US Laws – Criminal Liability

– Computer Security Act of 1987: creates a means for establishing minimum acceptable security practices for Federal Computer Systems

– Computer Fraud and Abuse Act (18 USC 1030): Criminal Penalties for unauthorized Access

– Economic Espionage Act of 1996: Penalties for unauthorized possession of “trade secrets” – 15 years, $10 Million and equipment forfeiture

• State Laws: At least 47 states have applicable laws

Page 27

COMPUTER FRAUD AND ABUSE ACT OF 1984 (Hacker Law)

• Prohibits:

– unauthorized access to computers with national defense or foreign relations data

– unauthorized access to computers with banking and financial information

– Unauthorized access, use, modification, destruction, or disclosure of a computer/data operated on behalf of the US Government

• Penalties:

– fines from $5,000 to $100,000

– imprisonment from 1 to 20 years (or both)

Page 28

COMPUTER FRAUD AND ABUSE ACT OF 1986

• Revised Computer Fraud and Abuse Act of 1984

• Increased penalties for fraud

• New crimes:

– Intentionally accessing a Federal Interest Computer without authority, and thereby:

• obtaining anything of value;

• preventing authorized use; or

• altering information.

– Trafficking in passwords

A Federal Interest Computer is:

– a computer exclusively for the use of a financial institution or the United States Government, or

– a computer which is one of two or more computers used in committing the offense, not all of which are in the same state.

Page 29

Patriot Act 2001

• Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism

– It creates new crimes, new penalties, and new procedural efficiencies for use against domestic and international terrorists

– Adds terrorist and computer crimes to Title III’s predicate offense list

– Allows victims of computer hacking to request law enforcement assistance in monitoring the “trespassers” on their computers

– It places electronic trespassers on the same footing as physical trespassers

– Now, hacking victims can seek law enforcement assistance to combat hackers, just as burglary victims have been able to invite officers into their homes to catch burglars.

Page 30

Press Releases From Recently Prosecuted Computer Crime Cases

Year 2004

- Hacker Pleads Guilty in Manhattan Federal Court to Illegally Accessing New York Times Computer Network (January 8, 2004)

Year 2003

- Milford, Ohio Man Pleads Guilty to Hacking (December 18, 2003)
- Former Hellmann Logistics Computer Programmer Sentenced for Unauthorized Computer Intrusion (December 5, 2003)
- Former Employee of American Eagle Outfitters Sentenced to Prison for Password Trafficking and Computer Damage (December 2, 2003)
- Three Men Indicted for Hacking into Lowe's Companies' Computers with Intent to Steal Credit Card Information (November 20, 2003)
- Two Alleged Computer Hackers Charged in Los Angeles as Part of Nationwide 'Operation Cyber Sweep' (November 20, 2003)
- Dallas, Texas FBI Employee Indicted for Public Corruption (November 5, 2003)
- Disgruntled Philadelphia Phillies Fan Charged with Hacking into Computers Triggering Spam E-mail Attacks (October 7, 2003)
- Former Employee of Viewsonic Pleads Guilty to Hacking into Company's Computer, Destroying Data (October 6, 2003)
- President of San Diego Computer Security Company Indicted in Conspiracy to Gain Unauthorized Access into Government Computers (September 29, 2003)
- Juvenile Arrested for Releasing Variant of Blaster Computer Worm That Attacked Microsoft (September 26, 2003)
- U.S. Charges Hacker with Illegally Accessing New York Times Computer Network (September 9, 2003)
- Minneapolis, Minnesota 18 year old Arrested for Developing and Releasing B Variant of Blaster Computer Worm (August 29, 2003)
- Former Computer Technician in Douglasville, Georgia Arrested for Hacking into Government Computer Systems in Southern California (August 25, 2003)
- Russian Man Sentenced for Hacking into Computers in the United States (July 25, 2003)
- FBI Employee Arrested and Charged in Three Federal Indictments (July 17, 2003)
- Queens, New York Man Pleads to Federal Charges of Computer Damage, Access Device Fraud and Software Piracy (July 11, 2003)
- Kazakhstan Hacker Sentenced to Four Years Prison for Breaking into Bloomberg Systems and Attempting Extortion (July 1, 2003)
- Southern California Man Who Hijacked Al Jazeera Website Agrees to Plead Guilty to Federal Charges (June 12, 2003)
- Computer Hacker Sentenced to One Year and One Day And Ordered to Pay More than $88,000 Restitution For Series of Computer Intrusions and Credit Card Fraud (June 12, 2003)
- Three Californians Indicted in Conspiracy to Commit Bank Fraud and Identity Theft (May 12, 2003)
- Ex-employee of Airport Transportation Company Guilty of Hacking into Company's Computer (April 18, 2003)
- San Jose, California Man Indicted for Theft of Trade Secrets and Computer Fraud (April 2, 2003)
- Student Charged with Unauthorized Access to University of Texas Computer System (March 14, 2003)
- St. Joseph Man Pleads Guilty in District's First Computer Hacking Conviction (March 13, 2003)
- Computer Hacker Pleads Guilty to Computer Intrusion and Credit Card Fraud (March 13, 2003)
- California Woman Convicted for Unauthorized Computer Access to Customer Account Information in Credit Union Fraud Prosecution (March 10, 2003)
- Los Angeles, California Man Sentenced to Prison for Role in International Computer Hacking and Internet Fraud Scheme (February 28, 2003)
- Former Employee of American Eagle Outfitters Indicted on Charges of Password Trafficking and Computer Damage (February 26, 2003)
- U.S. Convicts Kazakhstan Hacker of Breaking into Bloomberg L.P.'s Computers and Attempting Extortion (February 26, 2003)
- Ex-employee of Airport Transportation Company Arrested for Allegedly Hacking Into Computer, Destroying Data (February 20, 2003)
- Ohio Man Attacked NASA Computer System Shutting Down Email Server (February 13, 2003)
- Former Employee of Viewsonic Arrested on Charges of Hacking into Company's Computer, Destroying Data (February 6, 2003)
- Pittsburgh, Pennsylvania Man Convicted of Hacking a Judge's Personal E-Mail Account (January 23, 2003)


Security Awareness Process

• A Self-Audit of Your Awareness Plan

– understanding the existing environment and anticipating change

– what should be included in a security awareness program geared for today and beyond

– conducting a technology inventory

• Getting Management's Attention... and Commitment

– determining management's needs

– building your case

– "marketing" your program

• Awareness Program Goals

– developing awareness objectives and criteria

– developing a business case

– developing a charter

– influencing and motivating employees

– communicating your ideas

• Getting Started

– working with your customers

– staffing for awareness

– who is responsible for what

– identifying your target audience

– developing organization-wide programs

– implementing pilot projects

• Identifying the Awareness Tools That Work Best for Your Organization

• Monitoring the Success of Your Program


Computer Security Act of 1987

• The Computer Security Act of 1987 mandated the following:

– Improvement of privacy for unclassified, sensitive information in Federal computer systems.

– Preparation and periodic update by Federal agencies of security plans for their computers that process sensitive information.

– Periodic training in computer security awareness and accepted computer practices for all Federal and contractor employees who are involved with the management, use, and operation of each Federal computer system within or under the supervision of that agency.


National Strategy for Homeland Security

• The purpose of the Strategy is to

– mobilize and organize our Nation to secure the U.S. homeland from terrorist attacks.

– This is an exceedingly complex mission that requires coordinated and focused effort from our entire society—the federal government, state and local governments, the private sector, and the American people.

• The strategic objectives of homeland security, in order of priority, are to:

– Prevent terrorist attacks within the United States;

– Reduce America’s vulnerability to terrorism; and

– Minimize the damage and recover from attacks that


National Strategy to Secure Cyberspace

• Issued February 14, 2003 by President Bush

• The National Strategy identifies the following strategic objectives:

– Prevent cyber attacks against America's critical infrastructures

– Reduce national vulnerability to cyber attacks

– Minimize damage and recovery time from cyber attacks that do occur

• The National Strategy articulates five national priorities:

– A National Cyberspace Security Response System

– A National Cyberspace Security Threat and Vulnerability Reduction Program

– A National Cyberspace Security Awareness and Training Program

– Securing Governments' Cyberspace

– National Security and International Cyberspace Security Cooperation


OMB Circular No. A-130

• The OMB Circular No. A-130 establishes minimum controls that are to be included in Federal automated information security programs.

• It also assigns Federal agency responsibilities for the security of automated information and links agency automated information security programs and agency management control systems.

• It further states what techniques can be used to collect the electronic information, and it discusses the safeguards that agencies must maintain to protect the information.


Summary

• The study of ethics involves questions of “right and proper conduct”

– what is good, what is bad, what is right, what is wrong

– in our behavior toward one another.

• In the world of computing, it is tempting to oversimplify ethical problems

– by reducing them to issues of computer crime and data security.

• In reality, the moral concerns and dilemmas confronting computing professionals are far broader.

– Principles of Behavior

• Moral and Ethical Training must be taught K-12 and beyond

• We Pay (Legal) When we Play (Illegally)

• We need to know the value of our data and what to protect and why

Trust – Training – Discipline – Character

Partnership – Commitment – Success

VS


“It is Stupidity rather than Courage to Refuse to Recognize Danger when it is Close Upon You”

- Sherlock Holmes


Food for Thought


Questions